Method and apparatus for removing harmful software

ABSTRACT

Embodiments of the invention address the problem of removing malicious code from infected computers.

BACKGROUND

Malicious programs, or malware, fall into many categories. Trojans orbackdoors provide remote access to the machine across the network.Spyware attempts to log information (e.g. browsing habits, logins,passwords) and then transmit that information to a third party, who canuse that information for personal gain. Other programs such as worms orviruses cause damage by self-replicating amongst machines. Malwarecauses considerable damage to enterprises, measured in loss ofinformation, brand, and computer administration costs.

Malware often evades detection by stealth. Malware also evades removalby actively resisting removal, or by being so complicated that it isdifficult to remove all traces of the malware.

One common methodology for malware removal is signature based. Companiesobtain samples of the malware, (either from their customers, or byscanning the Internet for the malware), analyze the code and generate a“signature” and a cleanup script. The signature is generally a list ofunique identifiers of the executables involved, such as a hash of all orpart of the executable image on disc. A hash is a compact, uniquerepresentation of the data in the file, with the property that differentexecutables will result in different hashes. The signature can alsoinclude lists of other pieces of data associated with the malware, forexample configuration files and configuration data written in theconfiguration database on the computer. On the Windows operating system,this database is called the registry. The registry contains a largeproportion of the configuration data for the computer, for examplespecifying which programs survive reboot. The cleanup script is a listof processes to kill, programs to remove from the filesystem, andconfiguration data to delete or restore to default values. Cleaning isan example of removing.

Unfortunately, this signature-based approach has some significantproblems. The first problem is that it is easy for the signature to beout of date. Malware on infected machines is often connected to theInternet and can easily update or morph itself, making the malware onthe infected machine different from the sample analyzed at the securityvendor's laboratory. The malware on the infected machine evadesdetection attempts based on the signature which was developed from theanalyzed sample. This results in incomplete and unsatisfactory removalof the malware.

Second, malware is easily customized to each machine, for example bychoosing a random file name. This machine-specific customization makeseach individual infection different from the malware analyzed in thelaboratory, and again results in incomplete and unsatisfactory removal.

Third, malware programs can actively resist removal, for example byhaving two programs that watch and restart each other should one bekilled, or by loading themselves into system processes, thereby lockingthe executable so that the executable cannot be deleted. In anotherexample, the configuration data is automatically monitored by malware,which rewrites any changes made to the configuration data. The removalprogram has to run with sufficient privileges to guarantee control overuser mode process and provide an avenue to deal with kernel modemalware, preferably in the kernel of the operating system. The kernel isthe part of the operating system that controls access to systemresources and schedules running processes, and thus has total control ofthe computer. Most signature based schemes are not implemented in thekernel, as the scanning signature based schemes require to matchsignatures with the data on the computer would not be very efficient toimplement in the kernel. A consequence of this is that signature basedschemes are not in a good position to remove recalcitrant malware, againresulting in incomplete and unsatisfactory removal.

Other solutions to malware removal are based on the idea of “undo”,whereby the actions of untrusted programs are recorded, and can be“undone” to restore the system to a clean state. Because it is difficultto know which programs to trust, “undo” systems tend to end up recordingall the actions of the majority of the programs on the system, and thusrequire large amounts of storage. “Undo” schemes also fail to addressthe problem of identifying all portions of the malware.

SUMMARY

Embodiments of the invention address the problem of removing maliciouscode from infected computers.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows an example of an architecture of a system that detects andremoves malware from a computer.

FIG. 2 shows an example of a process flow that updates nodes of thegraph representing the processes and files of the computer.

FIG. 3 shows an example of a process flow for removing processes of thecomputer.

FIG. 4 shows an example of a process flow for removing files of thecomputer.

FIG. 5 shows an example computer apparatus and computer code medium thatare embodiments of the invention.

DETAILED DESCRIPTION

Various embodiments couple a detection mechanism of malicious softwarewith a graph structure, thereby improving on either mechanism used inisolation. The graph structure improves the accuracy of the detectionmechanism. Malicious programs tend to consist of multiple pieces.Malware could have a dropper or installation program, a program with apayload, and perhaps extra modules. For example, programs that install akeyboard logger using the Windows Hook mechanism, a well known techniqueto gain access to keys typed on the keyboard to steal logins andpasswords, have an extra dynamically linked library or dll file.

These multiple pieces differ in how malicious they appear, whenconsidered independently. The installer probably behaves in roughly thesame way as any legitimate installer, by copying files and setting upconfiguration data for the payload carrying part of malware. A detectionmechanism attempting to detect all of these pieces independently wouldhave to a very low threshold of sensitivity, which would likely resultin many false positive mistakes, or detecting normal programs asmalicious. Such errors are undesirable and lead to the removal of usefulsoftware and wasted time of the user. Ultimately, they may cause theuser to stop using the malware detection/removal software.

However, by combining the detection method with a graph, the sensitivitycan be set high. False positives are reduced, though perhaps only thepayload part is detected. However, the graph structure percolates fromthe node representing the payload to all the other pieces of malware,therefore detecting associated pieces of the malware. The associatedpieces are not malicious when considered independently, but aremalicious when associated with software that is strongly malicious.Thus, the combination of detection with a graph improves detectionwithout increasing the rate of false positives.

This combination is also effective at removing harmful software, even ifthe vendor of the security program has not released a security updatespecific to the harmful software after the initial installation. Thiscombination is also effective at removing software, regardless of theabsence of an uninstall script.

Additionally, the detection mechanism improves the accuracy of theremoval process. If a process is determined to be malware, although thatinformation is easily percolated around the graph, the difficulty restsin knowing where to stop the percolation. Without an accurate stoppingcondition, either not enough is removed, or too much is removed.However, an assessment of each node from the detection mechanism enablesan intelligent stopping condition that takes into account the likelihoodthat each node is malicious. The result is accurate removal.

In addition, prior user approval of events does not prevent accuratedetection of malware, and does not inoculate potential malware formbeing identified as malware. Thus, the technology is effective in bothembodiments with and without user approval of events (whether or notcaused by harmful software).

FIG. 1 shows an example of an architecture of a system that detects andremoves malware from a computer.

Events are measured from the operating system kernel and using othersensors. These events are converted into a standard format, the“Behavioral Event”. In the standard format, these events share the samedata structure: a name, a source, and a target, where the source andtarget are the identifiers of the nodes affected by the event. Nodes arefiles and processes on the computer, as discussed below. Relationshipscorrespond to the edges that connect the nodes of the graph. For thecase where an event triggers a new relationship, e.g. a processinstalling an executable, the source contains the identifier of theprocess, and the target contains the identifier of the new executable.For the case where an event triggers the change in a characteristic,such as an event generated when a process does not have a visiblewindow, the source is the identifier of the process that gets thecharacteristic, and the target is left empty. Other behaviors triggeringthe event can be specified.

The behavioral events are mapped into new relationships orcharacteristics using a behavior event processor. This takes as input adata structure that specifies the mapping between behavioral events andrelationships/characteristics. The mapping is many to many, as forexample many events could generate a registers relationship. Uponreceiving a behavioral event, the behavior event processor determineswhat changes to make to which nodes, causing those those nodes to bealtered. Nodes to be changed are placed in a node change queue forprocessing by a graph rule processor.

The following is a more specific description of this process.

ProcessScanner Events 120, Tracer Events 122, and Network Scanner Events124 generate, or detect, events differently. Harmful software isobserved generally based on runtime events, with some events based onpolling, such as events generated by ProcessScannerEvents 120. Theprocess scanner events are generated by periodically polling the list ofrunning processes in the system and looking for certain characteristics.ProcessUserEvent Threads 114 and Process Scanner Threads 116 split theworkload for event processing, depending on whether a process that isvisible by the tracer from the kernel is also visible from user space,periodically scanning the processes. ProcessUserEvent Threads 114receives events from the Process/Executable User Events Queue 112, whichis filled by Process Start Events 100. Tracer Events 122 are receivedthrough hooking the kernel. Network Scanner Events 124 scans throughactive connections on a box from the Network Scanner 118. The networkevents can come out of the tracer as well.

The events generated by ProcessScanner Events 120, Tracer Events 122,and Network Scanner Events 124 are queued in the Behavior Event Queue130. The queued events are analyzed by Behavior Event Processor 132. TheBehavior Event Processor 132 forwards node changes such as new orremoved characteristics, new nodes and relationships, and removed nodesand relationships to be queued at Node change Queue 136. These queuednode changes are handled by Graph Rule Processor 142. The Graph RuleProcessor 142 interacts with user interface processing 146 via promptqueues 144, and interacts with cleanup engine 150 via clean queue 148.

The Behavior Event Processor 132 has a malicious software detector thatcombines the behaviors exhibited by nodes to generate a score that is anindication of the maliciousness of each node. The Graph Rule Processor142 is a tracking system that maintains a graph of how the variousexecutables and processes on the system interact with one another, forexample who installs whom, who spawns whom, who writes configurationdata for whom etc. The Graph Rule Processor 142 also maintains for eachnode a list of the configuration data associated with the node, both thedata the node has written, and the data that is associated with thenode.

FIG. 2 shows an example of a process flow that updates nodes of thegraph representing the processes and files of the computer. Inparticular, FIG. 2 shows an example of Graph Rule Processor 142 of FIG.1.

The graph rule processor applies the rules to the graph nodes. Given achange to a particular node, or a new link added to the graph, the graphprocessor evaluates the rules for the affected nodes, and applies theactions defined in the rules to the relevant nodes. If those nodeschange as a result of the rules, then these changed nodes are alsoconsidered to see if these changed nodes trigger further changes. Thisprocess then continues recursively until all the queued changes haveoccurred. As processes run on the system, the actions of the processesare monitored and result in creation of the graph. For example, ifprocess a.exe spawns b.exe, if the nodes do not exist already, the graphis amended to add nodes for the executables a.exe and b.exe, processesa.exe and b.exe, and a “spawn” link from the process node for a.exe tothe process node of b.exe.

When a node is deemed to be malicious and marked for cleaning, the graphrule processor places that malicious node on the clean queue, to behandled by the removal engine. In addition, to enable interaction withthe user of the computer, the node may also be placed on a queue to theuser interface processing. The reply from the user is placed in a secondqueue, which is also serviced by the graph processor.

The following is a more specific description of this process.

Changed nodes 210 are received by a queue of changed nodes 210. Thesubsequent node to be processed is served by the processor, where theprocessing 214 checks each rule condition against the node. If a rulecondition evaluates to true, the processor applies the action. If theaction causes a change in any node's characteristics, then that changednode is added to the change queue 212 for processing. As part of theprocessing, the processor can calculate whether the node has a highenough score to trigger being classed as malicious, by running adetection algorithm 216. If the node is not malicious, the next node inthe change queue 212 is processed. Otherwise, the node is marked to beremoved, and placed on the clean queue 224 for removal by the cleaningengine. In 226, alternatively the node can be placed on a promptingqueue 228 to interact with the user of the computer. The promptingrefers to prompting the end user whether or not the end user wants toremove the node via a user interface 230. The second queue of userreplies is not shown.

The detection algorithm 216 runs in the kernel of the operating system.The detection algorithm 216 detects a subset of the actions of allrunning processes, and also controls those running processes by beingable to kill or suspend those running processes. Running from the kernelgives accurate information, as opposed to detection in user space, whichcan be tampered with by other user space processes, in particular themalware itself. Running from the kernel also provides sufficientcontrols to be able to kill and remove arbitrary programs.

An example detection mechanism is described in U.S. Patent ApplicationNo. 60/658,441 filed Mar. 4, 2005, titled “Method and Apparatus forDetecting Harmful Software” which is incorporated by reference. Thisexample detection mechanism distinguishes between harmful software andsafe software based on observing combinations of characteristics. Inseveral approaches described herein, such characteristics are inheritedbetween different nodes and passed among the nodes.

Rather than relying on an autonomous detection algorithm, the detectioncomponent in some embodiments is triggered by user selection.

When a particular process is found to be malicious, autonomously fromthe detector or from a program matching a signature, or manually from auser indicating that a particular process is malicious, then thatinformation is percolated around the graph. This percolation ensuresthat not only a specific piece of software determined as malicious, butalso the associated programs (such as the installer and child processes)as well as the associated configuration data, are all automaticallyremoved. In this way, after a node is marked as malicious and thus to beremoved, the malicious code is completely removed from the system.

The graph and detection component are continually evaluated andmaintained throughout the normal running of the computer and during theremoval process. As a result, the system remains up-to-date, becausewhat will be removed is based on what has actually happened up to thattime. Another result is that the system is customized to the particularmachine. Any attempts by the malware to resist cleaning (e.g. byspawning other processes) are added to the graph as new nodes andremoved as part of the cleaning process. The storage requirements arekept low by carefully choosing parts of the system to track and record.

The graph rule processor 242 passes information around the graph. Thespecification for how this information is passed around the graph isdefined by a set of rules, corresponding to the edges connecting thenodes. The information passed around the graph is ultimately stored as aset of characteristics for each node, which also serves as a source ofinformation to pass around the graph. The set characteristics defined bythe metadata is extensible.

The rules pass round information on which executables, processes orconfiguration data needs to be removed. The rules also pass otherinformation around. For example if an executable is marked as TRUSTED,that information is passed to associated processes linked to theexecutable via an “instance_of” relationship. The associated processesthereby inherit that characteristic value.

In general, a rule consists of a condition and an action, either ofwhich could be on either end of the relationship. The condition takes avariety of forms, as follows:

A condition on a set of characteristics, for example a characteristicsuch as TO_BE_CLEANED is on, and another characteristic is off.

A condition on an attribute of the node (e.g. name=cmd.exe)

A condition triggered when the process associated with the node dies

A condition that is always true. A condition on the command linearguments of a process node.

The action takes a variety of forms, as follows:

Set or remove a particular characteristic (or a set of characteristics)

Inherit the value of a characteristic from the other end of therelationship

Merge a set of characteristics with the other end, i.e. take a Boolean“or” of the values of each characteristic at either end of therelationship

Set the values at the action end to the result

Inherit the relationships associated with the node, i.e. to copy and addnew relationships from the action node to nodes connected to othernodes.

These sets of conditions and actions provide a powerful language withwhich to specify how characteristics are passed around the graph by theGraph Rule Processor 242.

Examples of rules for various relationship types are as follows:

Spawn

If source:TO_BE_CLEANED, set target:TO_BE_CLEANED

If target:TO_BE_CLEANED, set source:MALWARE_ACTION

Processes spawned by a nodeto be cleaned are marked to be cleaned, andthe parent of a process to be cleaned is marked as performing a malwareaction.

Spawn

If source Execname=“cmd.exe” inherit target WINDOW_VISIBLE

If a process is running in a command line window and the window isvisible then the process is visible.

Code Inject

If target:TO_BE_CLEANED, set source TO_BE_CLEANED

If a process has been code injected and is to be cleaned, then theprocess that injected it is also marked to be cleaned.

Instance_of

If source:TO_BE_CLEANED, set target:TO_BE_CLEANED

If target:(TO_BE_CLEANED AND NOT MEMORY_COMPROMISED), setsource:TO_BE_CLEANED

If an executable is marked to be cleaned, then all children of theexecutable are marked to be cleaned. If a process is marked to becleaned, the executable but not associated processes are marked to becleaned, if there is no evidence that the memory of the process has beentampered with, e.g. by having foreign code injected into the process.

FIGS. 3 and 4 show examples of process flow for cleaning processes andfiles of the computer.

Process nodes are removed from the graph when processes die, but onlywhen the process has no living children (in a “spawn” relationship). Aspart of the node metadata, a reference count of children is maintained,such as an integer which is incremented when a child process is spawned,and decremented when a child process dies. The node can be removed whenthe process has died and its reference count is zero.

Executable nodes are removed when the executable nodes have no livingchildren (in an “instance of” relationship), and the executable image ondisk no longer exists. As part of the node metadata, a reference countof children is maintained, such as an integer which is incremented whena child process is instantiated, and decremented when a child processdies. The executable image no longer exists, for example when theexecutable has been removed. This can be checked at regular intervals orat shutdown or restart.

In the Windows operating system, some programs run as “services”. Theseare executables that are managed by the operating system, using theService Control Manager. This program can start, stop and configure theother service programs. While this mechanism is usually used for systemservices e.g. remote procedure call, printing etc., it is also used forprograms such as web servers and databases. Service programs are handledby the same queuing mechanisms, with the difference that calls to theService Control Manager are made to suspend, stop and remove theservice.

For the particular case of passing information around for removal,principles that are followed in generating the rules for cleaning thegraph.

Anything done by a malicious node is automatically malicious. SoTO_BE_CLEANED or equivalent characteristics are passed down throughrelationships “downstream” i.e. where the malicious node is the sourceof the relationship.

Any node that is directly upstream of the malicious node (e.g. theprocess that spawned it, or the process that installed it), is treatedas suspicious. This is accomplished by modifying the detectionalgorithm. In the detection algorithm, a node is found to be malware ifthe node has a large enough score and the node has taken an actionassociated with malicious code (e.g. using the network, installing akeylogger etc.). Suspicious nodes are processes that have taken amalicious action. Being associated with malware is a sufficientcondition for a process to be detrmined as malware. Suspicious nodes canhave extra characteristics added that increase the score of the node.Suspicious nodes with a large enough score also are determined at thecomputer to be malware.

The cleaning algorithm takes nodes off the clean queue and then uses aset of internal queues to complete the cleaning. The processing in thesequeues takes care of suspending processes, killing processes, removingconfiguration data, and removing executables from the file system. Theprocessing is designed to operate so that each queue and the processingof the queue operate asynchronously. The processing operates in strictpriority order, suspending before killing before unregistering beforeremoval.

When a node is removed from the clean queue, the type of the removednode is checked. If the removed node is a process node, then the removednode is added to the suspend and kill queues. If the removed node is anexecutable node, then the configuration data is added to the unregisterqueue, and the executable itself is added to the removal queue. Theprocessing involved with servicing those queues is detailed in thefollowing figures and text.

FIG. 3 shows an example of a process flow for cleaning processes of thecomputer.

Nodes to be cleaned 312 are sent to a clean queue 314. Nodes removedfrom the clean queue 314 are placed in a relevant queue 316, the suspendqueue 322 or the kill queue 342.

The role of the suspend queue 322 is to suspend processes so that theprocesses cannot take any actions while being queued to be killed.Suspending processes helps with handling the delays that might beinvolved with killing multiple processes. Processes added to the suspendqueue 322 are first checked to see if they are not already suspended324. If yes, then processing terminates for that node. Next, the processis compared against a “do-not-kill” list of system processes that cannotbe killed or suspended without affecting system stability 326. If theprocess is on this list, a flag is set that the system needs to berebooted 328 and processing terminates. If the process is free to besuspended, the process is suspended 330.

The kill queue 342 is responsible for killing the processes, freeing uptheir resources and allowing them to be removed. On the Windowsoperating system it is not possible to modify the executable on disk ifthat executable is loaded into memory. Processing for the kill queue 342is similar to processing for the suspend queue 322. Processes added tothe kill queue 342 are first checked to see if they are not alreadykilled 344. If yes, then processing terminates for that node. Next, theprocess is compared against a “do-not-kill” list of system processesthat cannot be killed or suspended without affecting system stability346. If the process is on this list, a flag is set that the system needsto be rebooted 348 and processing terminates. If the process is free tobe killed, the process is killed 350.

FIG. 4 shows an example of a process flow for cleaning files of thecomputer.

The general approach taken in the removal algorithm is to remove theconfiguration data from the registry (so that the executable/module willnot be loaded post reboot), reboot, and then delete theexecutable/module. However, there is also a facility whereby programscan be alerted when registry keys change, and rewrite keys that wereremoved. If the executable that is doing the rewriting can be killed,this is not a problem, and the removal algorithm can be sure that thestate has been removed from the registry and that the module will not beloaded and locked from removal post reboot.

Nodes to be cleaned 412 are sent to a clean queue 414. Nodes removedfrom the clean queue 414 are placed in a relevant queue 416, theunregister queue 422 or the removal queue 442.

The unregister queue 422 is responsible for removing the configurationdata associated with the node. The configuration data is a set ofregistry keys that either were written by the process, or point to thenode. The processing involves saving the copy of the registry keys forsubsequent restoration, deleting the data and then terminating.Processes added to the unregister queue 422 are first checked to see ifthey are not already unregistered 424. If yes, then processingterminates for that node. Some registry keys need to be returned totheir default values rather than being removed 428. Returning registrykeys to default values is accomplished with a list of special cases 426.In order to catch processes that attempt to reinstall themselves, theremoved keys are written to a “quarantine” list 432, that can beconsulted as part of the event analysis. In addition, some configurationsettings need to be protected to disallow further writes to theseconfiguration settings. This is accomplished by adding the keys to an“aircover” list 432. If the node is not a special case, prior todeletion, the old data is saved 430, and the quarantine list or aircoverlist is updated as appropriate. In another embodiment, a list ofexecutables is maintained, which should not be written into theregistry.

The removal queue 442 is responsible for removing executables and otherfiles from the file system. Processes added to the removal queue 442 arefirst checked to see if they are not already removed 444. If yes, thenprocessing terminates for that node. Because some files cannot beremoved when loaded by a process, the processing checks to see if thefile can be removed 446, and if the file cannot be removed, theprocesses that are locking the file are placed on the suspend and killqueues 448. The file is then added to a compressed archive and thendeleted from the file system. The file subsequently can be restored fromthe archive should a mistake have been made. The files removed arerecorded on the “quarantine list” in order to detect reinstalls orquarantine list 450.

Aircover operates as follows. In the Windows operating system, mostsystem configuration occurs in the Registry. On reboot, the operatingsystem queries the registry to determine which programs to load. When aprogram is running, or a module is loaded, it is impossible to deletethe executable from the file system, as the file on disk is locked. Ifthe process rewriting the configuration data is one that cannot bekilled, for example a system process with a rogue code module loadedinto the system process, then there is a problem. The removal algorithmcannot be sure that the state has been removed, and cannot kill theprocess that is rewriting the state.

The solution to this is to prevent processes from rewriting keys tosensitive parts of the registry, so ensuring that post reboot, themodule will not be loaded and can be removed. This is accomplished bymaintaining an aircover list of registry keys where writes are denied.The aircover list can also include files that should not be allowed tobe created. The list does not need to be persisted post reboot.

The following discussion provides more details about graphs.

The nodes on the relationship graph are the processes and executables onthe system. The node for the executable corresponds to the executablefile on disk. The node is identified by the file path, and optionally achecksum (hash) of all or part of the file. The process node isidentified by the process id of the process assigned by the operatingsystem. The process node is also optionally identified by the creationtime of the process, because in some operating systems, such as Windows,the process ids are reused once a process has died. Thus, adding thecreation time guarantees a unique identifier. Nodes labeled “system” arepseudo processes for the operating system kernel, used for accountingpurposes.

In normal cases, the process of an executable runs the code in theexecutable and thus behaves in a way constrained by that code. Theexecutable and process nodes are separated, even when the process is aninstantiation of the executable, because foreign code can be injectedinto running processes. That process then runs code not associated withthe executable, causing the process to behave differently.

Some processes on the Windows operating system act as “hosts” forscripts, executable files, and other types of files. For example, therundll32.exe process allows a dll, a type of executable file thatnormally cannot be run as a process directly, to run as a process.Another example is a .bat file, which is a script file that is normallyrun by a cmd.exe process. These are handled as a set of special cases,making the executable node on the graph correspond to the script, andthe process node correspond to the host process.

The relationships and characteristics are defined through metadata andcan be added with out modifying the code.

The edges of the relationship graph indicate the relationships betweenthe nodes. These links are normally directed, with a clear definition ofsource and target, but do not have to be so. Example relationship typesare process-file relationships that exclude instance-of relationships,instance-of type process-file relationships, process-processrelationships, and file-file relationships. The relationships include,but are not limited to:

Installs. A process wrote a file to disk, such as an executable or ascript file. This is a link between a process node and an executablenode.

Spawns. A process spawned (started) another process, with the originalprocess being the parent of the new child process. This is a linkbetween two process nodes.

Registers. A process wrote some configuration data associated with aparticular executable, for example a process writing a key in theregistry that causes another executable to survive a reboot. This is alink from the writer of the data, to the newly registered executable.

Code Inject. A process wrote into the memory of another process, socausing the second process to run foreign code. This is a link from oneprocess node to another.

Instance_of. A link from an executable to the running instances(processes) of that executable, for example from the node fornotepad.exe to the notepad.exe processes running in the system.

Kills. A link from one process to another saying that the source hasattempted to kill (or shutdown) the other process.

Same Hash. An example of an undirected link, put between two executablenodes sharing the same hash, i.e. they are copies of one another.

Characteristics are tracked for each node of the graph. The graph passesinformation about the characteristics around the graph, depending on therules. The characteristics include, but are not limited to:

IMAGE_CHANGED. The executable file was updated. This implies that theexecutable has been modified on disk since monitoring this executable.This could be because the executable has been updated as part of anormal software update process, or in the worst case that the executablehas been modified by a malicious program to run malicious code (forexample, a file infecting virus).

SURVIVE_REBOOT. The executable is configured to automatically restart.On each reboot, Windows will automatically run the executable. Maliciousprograms generally need to survive reboot in order to be effective atstealing information from the user. However, many legitimate programsalso survive reboot.

GUESS_SURVIVED_REBOOT. The executable appears to survive reboot as itruns immediately after the start of the Service Control Manager. Whilethe executable was not explicitly registered to survive reboot, it didstart immediately after the system was started, and thus appeared tosurvive reboot. Malicious programs generally need to survive reboot inorder to be effective at stealing information from the user. However,many legitimate programs also survive reboot.

PARENT_SURVIVED_REBOOT The executable is spawned by a process thatsurvives reboot. The executable is the child process of a process thatsurvived reboot, so that it itself probably survived reboot. Forexample, if program TROJANSTARTER.EXE is set to survive reboot, and whenit runs it spawns THETROJAN.EXE, then THETROJAN.EXE will actuallysurvive the reboot, even though it was not explicitly registered to doso. This characteristic captures this behavior. This can be indicativeof trojan behavior, as they sometimes use this level of indirection toavoid detection. It is relatively rare for normal programs to have thischaracteristic.

HAS_BEEN_ORPHAN The executable is an orphan process. The process is anorphan: its parent process has died. This is relatively rare for normalprograms, but common in malicious programs.

IS_SPAWNER. The executable spawns other processes. The executable hasspawned child processes.

ACTION_USED_NETWORK. The executable accessed the network. The executableused the network, either as a client accessing services on othermachines, or listening on a certain network port. Malicious programsneed to use the network to communicate with their controllers, send outinformation, receive software updates etc. However, many legitimateprograms also use the network.

ACTION_UNUSUAL_NETWORK. The executable has unusual network activity.Programs that have this characteristic are already protected throughapplication protection (either there is a profile for the application,or it is one protected after being discovered with applicationdiscovery). In this case, a profile will have been learned of how thisexecutable uses the network. This characteristic means that theexecutable has used the network in a way that is anomalous (differentfrom the previously learned behavior). This could mean that theapplication has been compromised. Possibly “The executable file wasupdated or it has had rogue code injected into its memory” (see “Theprocess has had possibly malicious code injected into it by anotherprocess”).

WINDOW_NOT_VISIBLE. The executable does not display a window on thescreen. The executable does not have a window that is visible on thedesktop. This implies that the program is trying to be stealthy, andinvisible to the user. The majority of malicious programs will have thischaracteristic, however many system processes do not have visiblewindows.

PROCESS_IS_HIDDEN. The process is hidden from Windows Task Manager. InWindows, it is possible for programs to interfere with other processesby injecting code into their memory space. This is also known as “dllinjection” as the code injected is usually contained a dll file. Onecommon use for this code is to hide information from those programs. Forexample, it is possible to hide a running process from the Windows TaskManager (which normally lists all running processes), by injecting codeinto the Task Manager's memory space to modify how it displays processesto the user. A malicious program can use this technique to remain hiddenfrom the user.

SMALL_IMAGE_SIZE. The size of the executable file image is very small.Malicious programs try to be stealthy, and one way to be stealthy is tominimize the impact on the underlying system. They are thus often small,lightweight programs. This characteristic means that the executablessize is small. However, many normal executables are also small (such assome system processes, utilities).

WRITES_TO_WINDIR. The executable attempted to write to the Windowsdirectory. The executable created other executable files in the Windowsdirectory. Often, malicious programs install themselves in the Windowsdirectory, as that directory contains many executables, and it is easyto remain unnoticed there. This is an indication of malicious behavior.However, some legitimate installation programs also copy executables tothis directory.

WRITES_TO_PGM_FILES. The executable attempted to write to the ProgramFiles directory. The executable created another executable file in theProgram Files directory. This is the directory that most normal programsare installed by default, and would indicate that this program is likelyto be a normal installation program. However, some malicious programs(particularly adware) install themselves in this directory.

EXEC_FROM_CACHE. The executable is executed from a cached area.

EXEC_FROM_WINDIR. The executable is executed from the Windows directory.

EXEC_FROM_PGM_FILES. The executable is executed from the Program Filesdirectory.

OTHER_PATH. The executable did not execute from the Program Filesdirectory, Windows directory or a cached area.

The above four characteristics are a report of where in the file systemthe executable resides. While this is not a strong indicator ofmalicious intent, it provide some hints about the type of executablethat is running. Executables that run from the Program Files directoryare likely to be legitimate, because that is the default directory wherethird-party software is installed. Some adware programs also run fromthis directory. Executables that run from the cache are more suspicious.Either they have been downloaded and run directly from a browser oremail client, or they are programs running from the cache to hidethemselves. Executables that run from the Windows directory can besuspicious. Often, malicious programs run from the Windows directorybecause there are many executables in that directory and it is easy toremain undetected there. However, most of the core windows executablesand utilities run from this directory.

IS_SHADOW The executable has the same name as a legitimate executable.This is evidence of a common mechanism that trojans and other maliciouscode use to hide themselves on a computer. They run with the same nameas a legitimate executable, but are placed in a different part of thefile system. For example, the real SERVICES.EXE (the legitimate WindowsService Control Manager) runs from C:\WINDOWS\SYSTEM32\SERVICES.EXE. Atrojan many call itself SERVICES.EXE but be installed asC:\WINDOWS\SERVICES.EXE. If viewed in the Task Manager (which does notshow the full path to the executable), both will look like legitimateSERVICES.EXE processes. An executable with this characteristic issuspicious. A known legitimate executable that occasionally has thischaracteristic is the Java SDK and JRE. Java is often installed in manydifferent locations on a computer, and there are also commonly more thanone installed version. This can result in some Java processes havingthis characteristic.

P2P_CODE_INJECTION. The executable attempted to inject code into theaddress space of another process. The executable forcibly attempted toinject code into other running processes, forcing them to run foreigncode. This is also known as dll injection. This is generally evidence ofmalicious activity. The injected code could be the malicious payload, soa compromised Notepad process, for example, could be logging keys andreporting stolen logins/passwords to an attacker. Alternatively, theinjected code could be a rootkit trying to hide the real maliciousprocess from detection.

HAS_DOUBLE_EXTENSION. The file name of the executable has a doubleextension. The executable is in the form MALWARE.JPG.EXE, so it has twoor more three-letter extensions. Windows is configured by default tohide known file extensions, so in this example the file would be shownon the screen as MALWARE.JPG. This might fool an unsuspecting user thatthey were opening a JPG or image file, when in fact they were opening anexecutable. This is highly suspicious.

WRITES_TO_REGISTRY_STARTUP. The executable attempted to write to thestartup area of the Registry.

WRITES_TO_FS_OF_STARTUP_AREA. The executable attempted to write to thestartup area of the file system.

The previous two characteristics indicate that the executable modifiedeither portions of the registry or file system where executables aremarked to be automatically restarted by Windows. This is suspiciousbecause malicious programs must survive reboot to be effective on auser's machine, and they modify these areas to do so. Often theycontinually modify these areas to ensure that they continue to remain onthe system. The normal programs that modify these places areinstallation programs, and some security programs (such as anti-virus,anti-spyware).

TERMINATE_PROCESS. The executable terminates another running process.Some malicious programs attempt to terminate security programs (such asanti-virus, anti-spyware) running on the machine in order to avoiddetection. This characteristic is flagged if a program is detectedattempting to kill others. It is rare for normal programs to forciblykill others, apart from security programs (anti-virus, anti-spyware),and utilities such as Task Manager.

LOAD_KERNEL_MODULE. The executable attempted to load a kernel module.The executable attempted to alter the functioning of the operatingsystem kernel by forcing it to load a kernel module. Kernel-levelrootkits, which are powerful pieces of malicious software are kernelmodules, and have to be loaded in order to run correctly. Thischaracteristic thus could indicate the installer of a rootkit. There arenumber of normal programs that install kernel modules, notablyanti-virus software, firewalls, and tools like Process Explorer, Regmonand Filemon from http://www.sysinternals.com.

PROCESS_MEMORY_COMPROMISED. The executable is a process code injectionvictim. This indicates that the process has had its memory compromised;another process has injected code into it. Code injection of this styleis also known as dll injection. This means that the actions of theprocess may not be what they were originally programmed to be, as theprocess will be running the injected code. For example, a Notepadprocess could be running code to cause it to listen on a certain networkport and allow remote access to the computer, which is not within thenormal actions of a simple text editor. Generally a process with thischaracteristic is suspicious—it has been changed to run some other code.

PARENT_IS_VISIBLE_CMD_SHELL. The executable is spawned by a visible cmdwindow shell. Visibility is a strong indicator that a program is notmalicious: most malicious software tries to be stealthy and hide fromthe user. This characteristic shows that the process is likely to bevisible as it was spawned by a visible command shell window.

KEYLOGGER_WINDOWS_HOOK. The executable attempted to install a keyloggerby a legitimate mechanism. Malicious programs install keyloggers tocapture keystrokes and steal logins, passwords, and credit card numbers.Some legitimate programs install keyloggers to monitor whether the useris using the computer or not (for example, instant messaging programsthat maintain a status). These legitimate programs often use a style ofkeylogger called a Windows Hook. This is a well-documented and acceptedmethod for logging keys. This characteristic means that the program islogging keys using a legitimate mechanism. Any keylogging is suspicious,but this is a less suspicious way of doing it, at least compared to thefollowing characteristic.

KEYLOGGER_GETKEYBOARDSTATE. The executable attempted to log keys; likelySpyware. The program attempted to log keys using a non-standard method,and is likely to be malicious. See “The executable attempted to installa keylogger by a legitimate mechanism.” Programs that log keys can stealinformation such as logins, passwords and credit card numbers.

MODIFIES_HOSTS_FILE. The executable attempted to modify the hosts file.

MODIFIES_AUTOEXEC_BAT. The executable attempted to modify theautoexec.bat file.

MODIFIES_CONFIG_SYS. The executable attempted to modify the default setof drivers loaded at startup time.

The previous three characteristics are given when the executableattempts to modify configuration files associated with networking (hostsfile), Windows startup (autoexec.bat file), or the default set ofdrivers loaded (config.sys file). While occasionally these files mightbe altered by an administrator, a program modifying these files issuspicious. The hosts file is an important file for configuringnetworking on the computer. By writing entries in the file, programs canredirect certain web sites to other places, without the user'sknowledge. For example, all queries to www.google.com could beredirected to www.malicious-site.com. Autoexec.bat is a file thatdetermines how Windows starts up. Malicious programs can modify the fileto force Windows to start malicious programs at startup. The defaultdrivers file (config.sys) can be modified so that a rogue kernel moduleis loaded, which could enable rootkit functionality.

TURNS_OFF_WINDOWS_FIREWALL. The executable attempted to turn off theWindows firewall. The program attempted to turn of the Windows firewallinstalled by default in Windows XP SP2. Turning off the firewall wouldallow a malicious program to use the network without alerting the user.This action is suspicious.

HAS_SHORTCUT_IN_START_MENU. The executable has a shortcut in the startmenu. The executable appears to have been installed correctly, and isthus likely to be legitimate. Some adware programs are installedcorrectly, but for the most part this is an indicator of a normalprogram.

SUFFICIENT. This characteristic implies that a process is suspicious, inparticular that it has some how been involved in spawning, registeringor installing a node that has been subsequently found to be malicious.This is passed by the relationship rules, and allows the involvement ofthe node with the malicious nodes to be included when calculatingwhether the node is malicious.

TO_BE_CLEANED. This characteristic means that the process or executablereferred to by the node is marked to be removed.

IS_MALWARE. Same as TO_BE_CLEANED.

MALWARE_ACTION. This characteristic means that the node has taken anaction that is associated with malware. For example, this characteristicis set when any of the following characteristics are set:ACTION_USED_NETWORK, KEYLOGGER_WINDOWSHOOK, KEYLOGGER_KEYBOARDSTATE,P2P_CODE_INJECTION, LOAD_KERNEL_MODULE. The exact set of actions thatcontribute to this characteristic is extensible.

IS_TERMINATED. This is set on a process node when the process dies. Thisis used as a marker to allow rules to be fired when processes die.

ALERTED_MALWARE. This is set on a node when it is found via thedetection system to be malicious. It is a marker that an alert has beengenerated for that node. The alert is generally sent to the user forconfirmation.

CONFIRMED_MALWARE. This is set on a node when a user has confirmed thathe or she wants to remove a particular piece of malware. i.e. one withALERTED_MALWARE set. It can also be set without a user if the system isin automatic removal mode.

INSTALLS_TOOLBAR. This is set when a process writes configuration datato cause the browser or the operating system to load a “toolbar”, whichis a piece of user interface functionality. For example a toolbar onInternet Explorer might allow the user to access a particular searchengine directly from the window, without having to visit the searchengine web page directly.

INSTALLS_COM_OBJECT. This is set when a process registers a particularexecutable as a COM object. COM is a Microsoft standard which allowsprograms to interact with one another using standard interfaces.

TAINTED_MALWARE. This characteristic implies that a process has had itsprocess memory compromised, (similar to PROCESS_MEMORY_COMPROMISED), andthat the action of the compromise caused the process to be detected tobe malware. This characteristic is used to ensure that only the processthat was the original cause of the compromise will generate an alert. Itthus helps cut down on interaction with the user.

INSTALLS_BHO. The executable installed a Browser Helper Object.

Example graphs are provided in the following tables. These graphsdemonstrate the successful identification of various componentsassociated with the effects of malware infection, which are thenremoved. Tables A and B are a graph of nodes and edges representingfiles and processes from a computer infected with the malware “Buttman”,a backdoor type program. Tables C and D are a subgraph of Tables A andB, with the nodes determined to represent files and processes of themalware “Buttman” and other related nodes. Tables E and F are a graph ofnodes representing files and processes from a computer infected with themalware “Lyricsdomain”, occurring when the computer visit the spywarefilled site lyricsdomain.com. Tables G and H are a subgraph of Tables Eand F, with the nodes determined to represent files and processes of themalware “Lyricsdomain” and other related nodes. Tables I and J are agraph of nodes representing files and processes from a computer infectedwith the malware “Nuclearrat”, here are tables for nuclear rat, a rat(remote access trojan) that injects code into internet explorer. TablesK and L are a subgraph of Tables H and I, with the nodes determined torepresent files and processes of the malware “Nuclearrat” and otherrelated nodes. Tables K and L illustrate that the malware process isidentified, but the uninfected executable is not removed. The number inparentheses after the file name is the pid. When the pid is 0, the nodeis executable. TABLE A (graph nodes of computer infected with themalware “Buttman”). node1 C:/DOCUMENTS ANDSETTINGS/ADMINISTRATOR/DESKTOP/ SUFFICIENTTROJANEXECUTABLES/BACKDOOR.BUTTMAN.EXE (0) SURVIVE_REBOOT TO_BE_CLEANEDnode2 C:/PROGRAM FILES/VMWARE/VMWARETOOLS/VMWARETRAY.EXE IMAGE_CHANGED(0) SMALL_IMAGE_SIZE SURVIVE_REBOOT node3 E:/CLEANUP/GUI/ALERTMFC.EXE(0) node4 C:/PROGRAM FILES/VMWARE/VMWARETOOLS/VMWARESERVICE.EXEIMAGE_CHANGED (0) SURVIVE_REBOOT node5 C:/WINNT/SYSTEM32/CSRSS.EXESMALL_IMAGE_SIZE (0) node6 C:/PROGRAMFILES/VMWARE/VMWARETOOLS/VMWAREUSER.EXE IMAGE_CHANGED (0) SURVIVE_REBOOTnode7 C:/PERL/BIN/PERL.EXE (0) SMALL_IMAGE_SIZE node8C:/WINNT/SYSTEM32/SPOOLSV.EXE SMALL_IMAGE_SIZE (428) WINDOW_NOT_VISIBLESURVIVE_REBOOT node9 C:/WINNT/SYSTEM32/CSRSS.EXE SMALL_IMAGE_SIZE (164)WINDOW_NOT_VISIBLE node10 C:/WINNT/SYSTEM32/CMD.EXEHAS_SHORTCUT_IN_START_MENU (840) IS_SPAWNER node11C:/WINNT//SYSTEM32/BROWSEUI.DLL (0) node12C:/WINNT/SYSTEM32/SERVICES.EXE SURVIVE_REBOOT (0) node13C:/WINNT/SYSTEM32/REGSVC.EXE SURVIVE_REBOOT (0) node14C:/WINNT/SYSTEM32/MSTASK.EXE MALWARE_ACTION (528) WINDOW_NOT_VISIBLESURVIVE_REBOOT ACTION_USED_NETWORK node15 C:/WINNT/SYSTEM32/CMD.EXEIS_SPAWNER (1004) IS_TERMINATED HAS_SHORTCUT_IN_START_MENU node16C:/WINNT/SYSTEM32/PSSUSPEND.EXE (0) node17 C:/WINNT/ICQMAPI.DLL (0)TO_BE_CLEANED node18 C:/PROGRAMFILES/VMWARE/VMWARETOOLS/VMWARESERVICE.EXE IMAGE_CHANGED (668)WINDOW_NOT_VISIBLE SURVIVE_REBOOT node19C:/WINNT/SYSTEM32/WBEM/WINMGMT.EXE SURVIVE_REBOOT (0) node20C:/WINNT/SYSTEM32/PSKILL.EXE (0) node21 C:/WINNT/SYSTEM32/SMSS.EXESMALL_IMAGE_SIZE (0) node24 C:/DOCUMENTS ANDSETTINGS/ADMINISTRATOR/DESKTOP/ KEYLOGGER_WINDOWS_HOOKTROJANEXECUTABLES/BACKDOOR.BUTTMAN.EXE:620 (620) SUFFICIENTWRITES_TO_REGISTRY_STARTUP SURVIVE_REBOOT TO_BE_CLEANED IS_TERMINATEDMALWARE_ACTION CONFIRMED_MALWARE WRITES_TO_WINDIR WINDOW_NOT_VISIBLEALERTED_MALWARE node23 C:/WINNT/SYSTEM32/WUAUCLT.EXE WINDOW_NOT_VISIBLE(844) node24 C:/WINNT/SYSTEM32/WUAUCLT.EXE (0) node25C:/WINNT/SYSTEM32/CMD.EXE HAS_SHORTCUT_IN_START_MENU (1176) IS_SPAWNERnode26 C:/WINNT/SYSTEM32/LSASS.EXE MALWARE_ACTION (224) SMALL_IMAGE_SIZEWINDOW_NOT_VISIBLE SURVIVE_REBOOT ACTION_USED_NETWORK node27StaANAAGENT.EXE (1052) node28 SYSTEM (0) node29 C:/PERL/BIN/PERL.EXE(644) SMALL_IMAGE_SIZE WRITES_TO_WINDIR WRITES_TO_REGISTRY_STARTUPIS_SPAWNER node30 C:/WINNT/FNGKHLIB.DLL TO_BE_CLEANED (0) node31C:/WINNT/SYSTEM32/CMD.EXE (0) node32 C:/WINNT/SYSTEM32/SVCHOST.EXEMALWARE_ACTION (400) SMALL_IMAGE_SIZE WINDOW_NOT_VISIBLE SURVIVE_REBOOTACTION_USED_NETWORK IS_SPAWNER node33 C:/WINNT/SYSTEM32/CMD.EXEIS_SPAWNER (1132) IS_TERMINATED MALWARE_ACTION TERMINATE_PROCESSHAS_SHORTCUT_IN_START_MENU node34 SANAAGENT.EXE (0) node35 C:/PROGRAMFILES/SANASECURITY/PRIMARY RESPONSE/AGENT/BIN/SANAUI.EXE SURVIVE_REBOOT(0) node36 C:/WINNT/SYSTEM32/SMSS.EXE SMALL_IMAGE_SIZE (140)WINDOW_NOT_VISIBLE IS_SPAWNER node37 C:/WINNT/SYSTEM32/WBEM/WINMGMT.EXEWINDOW_NOT_VISIBLE (692) SURVIVE_REBOOT IS_SPAWNER node38C:/WINNT/SYSTEM32/SERVICES.EXE TERMINATE_PROCESS (212) MALWARE_ACTIONWINDOW_NOT_VISIBLE SURVIVE_REBOOT ACTION_USED_NETWORK IS_SPAWNER node39C:/WINNT/SYSTEM32/PSSUSPEND.EXE IS_TERMINATED (724) WINDOW_NOT_VISIBLEnode40 C:/WINNT/SYSTEM32/WINLOGON.EXE (0) node41 C:/PROGRAMFILES/VMWARE/VMWARETOOLS/VMWARETRAY.EXE SMALL_IMAGE_SIZE (1016)IMAGE_CHANGED WINDOW_NOT_VISIBLE SURVIVE_REBOOT node42 C:/PROGRAMFILES/SANASECURITY/PRIMARY RESPONSE/ SMALL_IMAGE_SIZEAGENT/BIN/SANASCANNER.EXE(0) node43 C:/WINNT/EXPLORER.EXE SUFFICIENT(896) WRITES_TO_REGISTRY_STARTUP IS_SPAWNER INSTALLS_TOOLBAR node44C:/WINNT/SYSTEM32/PSKILL.EXE IS_TERMINATED (876) MALWARE_ACTIONTERMINATE_PROCESS WINDOW_NOT_VISIBLE node45 C:/PROGRAMFILES/VMWARE/VMWARETOOLS/VMWAREUSER.EXE IMAGE_CHANGED (1024)SURVIVE_REBOOT node46 C:/WINNT/EXPLORER.EXE (0) node47C:/WINNT/SYSTEM32/SVCHOST.EXE MALWARE_ACTION (460) SMALL_IMAGE_SIZEWINDOW_NOT_VISIBLE SURVIVE_REBOOT ACTION_USED_NETWORK IS_SPAWNER node48E:/CLEANUP/GUI/ALERTMFC.EXE (580) node49 C:/WINNT/SYSTEM32/SVCHOST.EXESMALL_IMAGE_SIZE (0) SURVIVE_REBOOT node50 C:/PROGRAMFILES/SANASECURITY/PRIMARY RESPONSE/AGENT/ SMALL_IMAGE_SIZEBIN/SANASCANNER.EXE (836) WINDOW_NOT_VISIBLE node51C:/WINNT/SYSTEM32/REGSVC.EXE WINDOW_NOT_VISIBLE (512) SURVIVE_REBOOTnode52 C:/WINNT/SYSTEM32/MSTASK.EXE SURVIVE_REBOOT (0) node53 C:/PROGRAMFILES/SANASECURITY/PRIMARY RESPONSE/AGENT/BIN/SANAUI.EXE SURVIVE_REBOOT(1092) HAS_SHORTCUT_IN_START_MENU node54 C:/WINNT/SYSTEM32/SPOOLSV.EXESMALL_IMAGE_SIZE (0) SURVIVE_REBOOT node55 C:/WINNT/SYSTEM32/LSASS.EXESMALL_IMAGE_SIZE (0) SURVIVE_REBOOT node56 SYSTEM (8) WINDOW_NOT_VISIBLEIS_SPAWNER node57 C:/WINNT/SYSTEM32/WINLOGON.EXE WRITES_TO_WINDIR (160)WINDOW_NOT_VISIBLE IS_SPAWNER node58 C:/WINNT/SYSTEM32/SVCHOST.EXEMALWARE_ACTION (704) SMALL_IMAGE_SIZE WINDOW_NOT_VISIBLE SURVIVE_REBOOTACTION_USED_NETWORK IS_SPAWNER

TABLE B (graph edges of computer infected with the malware “Buttman”)node1->node22 INSTANCE_OF node22->node1 REGISTER node22->node30 INSTALLnode22->node17 INSTALL node7->node29 INSTANCE_OF node29->node15 SPAWNnode29->node33 SPAWN node29->node48 SPAWN node42->node50 INSTANCE_OFnode35->node53 INSTANCE_OF node4->node18 INSTANCE_OF node2->node41INSTANCE_OF node6->node45 INSTANCE_OF node46->node43 INSTANCE_OFnode43->node11 REGISTER node43->node22 SPAWN node43->node53 SPAWNnode43->node41 SPAWN node43->node45 SPAWN node43->node25 SPAWNnode43->node10 SPAWN node31->node15 INSTANCE_OF node31->node33INSTANCE_OF node31->node25 INSTANCE_OF node31->node10 INSTANCE_OFnode15->node39 SPAWN node33->node44 SPAWN node10->node29 SPAWNnode5->node9 INSTANCE_OF node55->node26 INSTANCE_OF node52->node14INSTANCE_OF node20->node44 INSTANCE_OF node16->node39 INSTANCE_OFnode13->node51 INSTANCE_OF node12->node38 INSTANCE_OF node38->node18SPAWN node38->node14 SPAWN node38->node51 SPAWN node38->node8 SPAWNnode38->node32 SPAWN node38->node47 SPAWN node38->node58 SPAWNnode38->node37 SPAWN node21->node36 INSTANCE_OF node36->node9 SPAWNnode36->node57 SPAWN node54->node8 INSTANCE_OF node49->node32INSTANCE_OF node49->node47 INSTANCE_OF node49->node58 INSTANCE_OFnode58->node23 SPAWN node19->node37 INSTANCE_OF node40->node57INSTANCE_OF node57->node26 SPAWN node57->node38 SPAWN node24->node23INSTANCE_OF node3->node48 INSTANCE_OF node34->node27 INSTANCE_OFnode27->node50 SPAWN node28->node56 INSTANCE_OF node56->node36 SPAWN

TABLE C (graph nodes related to the malware “Buttman”) node1C:/DOCUMENTS AND SETTINGS/ADMINISTRATOR/DESKTOP/ SUFFICIENTTROJANEXECUTABLES/BACKDOOR.BUTTMAN.EXE (0) SURVIVE_REBOOT TO_BE_CLEANEDnode2 C:/WINNT/ICQMAPI.DLL (0) TO_BE_CLEANED node3 C:/DOCUMENTS ANDSETTINGS/ADMINISTRATOR/DESKTOP/ KEYLOGGER_WINDOWS_HOOKTROJANEXECUTABLES/BACKDOOR.BUTTMAN.EXE:620 (620) SUFFICIENTWRITES_TO_REGISTRY_STARTUP SURVIVE_REBOOT TO_BE_CLEANED IS_TERMINATEDMALWARE_ACTION CONFIRMED_MALWARE WRITES_TO_WINDIR WINDOW_NOT_VISIBLEALERTED_MALWARE node4 C:/WINNT/FNGKHLIB.DLL (0) TO_BE_CLEANED node5C:/WINNT/EXPLORER.EXE SUFFICIENT (896) WRITES_TO_REGISTRY_STARTUPIS_SPAWNER INSTALLS_TOOLBAR

TABLE D (graph edges related to the malware “Buttman”) node1->node3INSTANCE_OF node3->node1 REGISTER node3->node4 INSTALL node3->node2INSTALL node5->node3 SPAWN

TABLE E (graph nodes of computer infected with the malware“Lyricsdomain”) node1 C:/PROGRAM FILES/VMWARE/VMWARETOOLS/VMWARETRAY.EXEIMAGE_CHANGED (0) SMALL_IMAGE_SIZE SURVIVE_REBOOT node2 C:/PROGRAMFILES/VMWARE/VMWARETOOLS/VMWARESERVICE.EXE IMAGE_CHANGED (0)SURVIVE_REBOOT node3 C:/WINNT/SYSTEM32/CSRSS.EXE SMALL_IMAGE_SIZE (0)node4 C:/PROGRAM FILES/INTERNET EXPLORER/IEXPLORE.EXE SUFFICIENT (0)node5 C:/UNXUTILS/RM.EXE (624) IS_TERMINATED node6 C:/PROGRAMFILES/VMWARE/VMWARETOOLS/VMWAREUSER.EXE IMAGE_CHANGED (0) SURVIVE_REBOOTnode7 C:/WINNT/SYSTEM32/SPOOLSV.EXE SMALL_IMAGE_SIZE (428)WINDOW_NOT_VISIBLE SURVIVE_REBOOT node8 C:/DOCUMENTS ANDSETTINGS/ADMINISTRATOR/LOCAL TO_BE_CLEANED SETTINGS/TEMP/HEKXSVY.EXE (0)node9 C:/WINNT/SYSTEM32/CSRSS.EXE SMALL_IMAGE_SIZE (164)WINDOW_NOT_VISIBLE node10 C:/WINNT/SYSTEM32/CMD.EXEHAS_SHORTCUT_IN_START_MENU (840) IS_SPAWNER node11 C:/DOCUMENTS ANDSETTINGS/ADMINISTRATOR/LOCAL SETTINGS/ TEMPORARY INTERNETFILES/CONTENT.IE5/XYZI1KFG/ISTDOWNLOAD[1].EXE (0) node12C:/WINNT/SYSTEM32/BROWSEUI.DLL (0) node13 C:/WINNT/SYSTEM32/SERVICES.EXESURVIVE_REBOOT (0) node14 C:/PROGRAM FILES/INTERNETEXPLORER/IEXPLORE.EXE INSTALLS_COM_OBJECT (1056) SUFFICIENTACTION_USED_NETWORK IS_SPAWNER IS_TERMINATED MALWARE_ACTIONINSTALLS_TOOLBAR HAS_SHORTCUT_IN_START_MENU node15C:/WINNT/SYSTEM32/PSSUSPEND.EXE (0) node16 C:/PROGRAMFILES/VMWARE/VMWARETOOLS/VMWARESERVICE.EXE IMAGE_CHANGED (668)WINDOW_NOT_VISIBLE SURVIVE_REBOOT node17 C:/DOCUMENTS ANDSETTINGS/ADMINISTRATOR/ LOCAL SETTINGS/TEMP/ICD1.TMP/YSBACTIVEX.DLL (0)node18 C:/DOCUMENTS AND SETTINGS/ADMINISTRATOR/LOCAL TO_BE_CLEANEDSETTINGS/TEMPORARY INTERNET FILES/CONTENT.IE5/ISTCD2OD/SACC.PROD.V1110.07SEP2005.EXE (0) node19C:/WINNT/SYSTEM32/PSKILL.EXE (0) node20 C:/WINNT/SYSTEM32/CMD.EXEHAS_SHORTCUT_IN_START_MENU (1176) IS_SPAWNER node21C:/WINNT/SYSTEM32/LSASS.EXE MALWARE_ACTION (224) SMALL_IMAGE_SIZEWINDOW_NOT_VISIBLE SURVIVE_REBOOT ACTION_USED_NETWORK node22C:/WINNT/HEKXSVY.EXE SUFFICIENT (0) SMALL_IMAGE_SIZE SURVIVE_REBOOTTO_BE_CLEANED node23 SYSTEM (0) node24 E:/CLEANUP/GUI/ALERTMFC.EXEIS_TERMINATED (1180) node25 C:/WINNT/SYSTEM32/CMD.EXE (0) node26C:/PROGRAM FILES/YOURSITEBAR/YSB.DLL TO_BE_CLEANED (0) node27 C:/PROGRAMFILES/SANASECURITY/PRIMARY RESPONSE/AGENT/BIN/SANAUI.EXE SURVIVE_REBOOT(0) node28 C:/WINNT/SYSTEM32/SMSS.EXE SMALL_IMAGE_SIZE (140)WINDOW_NOT_VISIBLE IS_SPAWNER node29 C:/WINNT/SYSTEM32/SERVICES.EXETERMINATE_PROCESS (212) MALWARE_ACTION WINDOW_NOT_VISIBLE SURVIVE_REBOOTACTION_USED_NETWORK IS_SPAWNER node30 C:/WINNT/SYSTEM32/PSSUSPEND.EXEIS_TERMINATED (1104) MALWARE_ACTION TERMINATE_PROCESS WINDOW_NOT_VISIBLEnode31 E:/CLEANUP/ENUM.EXE SMALL_IMAGE_SIZE (1144) IS_TERMINATEDWINDOW_NOT_VISIBLE node32 C:/WINNT/HEKXSVY.EXE SMALL_IMAGE_SIZE (1144)SUFFICIENT WRITES_TO_REGISTRY_STARTUP SURVIVE_REBOOT TO_BE_CLEANEDIS_TERMINATED WINDOW_NOT_VISIBLE ALERTED_MALWARE node33C:/WINNT/SYSTEM32/WINLOGON.EXE (0) node34 C:/PROGRAMFILES/VMWARE/VMWARETOOLS/VMWARETRAY.EXE SMALL_IMAGE_SIZE (1016)IMAGE_CHANGED WINDOW_NOT_VISIBLE SURVIVE_REBOOT node35C:/WINNT/SYSTEM32/CMD.EXE IS_SPAWNER (1144) IS_TERMINATED MALWARE_ACTIONTERMINATE_PROCESS HAS_SHORTCUT_IN_START_MENU node36 C:/PROGRAMFILES/ISTSVC/ISTSVC.EXE SUFFICIENT (0) SMALL_IMAGE_SIZE SURVIVE_REBOOTTO_BE_CLEANED node37 C:/WINNT/EXPLORER.EXE WRITES_TO_REGISTRY_STARTUP(896) IS_SPAWNER node38 C:/PERL/BIN/PERL.EXE SMALL_IMAGE_SIZE (1080)IS_SPAWNER IS_TERMINATED WRITES_TO_WINDIR node39C:/WINNT/SYSTEM32/CMD.EXE IS_SPAWNER (1188) IS_TERMINATED MALWARE_ACTIONTERMINATE_PROCESS HAS_SHORTCUT_IN_START_MENU node40C:/WINNT/EXPLORER.EXE (0) node41 C:/PROGRAMFILES/VMWARE/VMWARETOOLS/VMWAREUSER.EXE IMAGE_CHANGED (1024)SURVIVE_REBOOT node42 C:/WINNT/SYSTEM32/SVCHOST.EXE MALWARE_ACTION (460)SMALL_IMAGE_SIZE WINDOW_NOT_VISIBLE SURVIVE_REBOOT ACTION_USED_NETWORKIS_SPAWNER node43 C:/PROGRAM FILES/SANASECURITY/PRIMARYRESPONSE/AGENT/BIN/ SMALL_IMAGE_SIZE SANASCANNER.EXE (836)WINDOW_NOT_VISIBLE node44 C:/UNXUTILS/RM.EXE (0) node45E:/CLEANUP/ENUM.EXE (0) SMALL_IMAGE_SIZE node46C:/WINNT/SYSTEM32/REGSVC.EXE WINDOW_NOT_VISIBLE (512) SURVIVE_REBOOTnode47 C:/PROGRAM FILES/SANASECURITY/PRIMARY RESPONSE/ SURVIVE_REBOOTAGENT/BIN/SANAUI.EXE (1092) HAS_SHORTCUT_IN_START_MENU node48C:/DOCUMENTS AND SETTINGS/ADMINISTRATOR/ SUFFICIENT LOCALSETTINGS/TEMP/IINSTALL.EXE (0) SMALL_IMAGE_SIZE TO_BE_CLEANED node49C:/PROGRAM FILES/ISTSVC/ISTSVC.EXE:860 SMALL_IMAGE_SIZE (860) SUFFICIENTWRITES_TO_REGISTRY_STARTUP SURVIVE_REBOOT TO_BE_CLEANEDACTION_USED_NETWORK IS_TERMINATED MALWARE_ACTION CONFIRMED_MALWAREWINDOW_NOT_VISIBLE ALERTED_MALWARE node50C:/WINNT/SYSTEM32/PSSUSPEND.EXE IS_TERMINATED (976) WINDOW_NOT_VISIBLEnode51 C:/WINNT/SYSTEM32/LSASS.EXE SMALL_IMAGE_SIZE (0) SURVIVE_REBOOTnode52 SYSTEM (8) WINDOW_NOT_VISIBLE IS_SPAWNER node53C:/WINNT/SYSTEM32/WINLOGON.EXE WRITES_TO_WINDIR (160) WINDOW_NOT_VISIBLEIS_SPAWNER node54 C:/DOCUMENTS AND SETTINGS/ADMINISTRATOR/LOCALSETTINGS/ TO_BE_CLEANED TEMP/SACC.EXE (0) node55E:/CLEANUP/GUI/ALERTMFC.EXE (0) node56 C:/WINNT/SYSTEM32/CMD.EXEIS_SPAWNER (648) IS_TERMINATED HAS_SHORTCUT_IN_START_MENU node57C:/DOCUMENTS AND SETTINGS/ADMINISTRATOR/ TO_BE_CLEANED LOCALSETTINGS/TEMPORARY INTERNET FILES/CONTENT.IE5/N3SNISZ6/ISTRECOVER[1].EXE(0) node58 C:/PERL/BIN/PERL.EXE (0) SMALL_IMAGE_SIZE node59 C:/DOCUMENTSAND SETTINGS/ADMINISTRATOR/ TO_BE_CLEANED LOCAL SETTINGS/TEMPORARYINTERNET FILES/CONTENT.IE5/AH6GBXDE/YSB[1].DLL (0) node60E:/CLEANUP/ENUM.EXE SMALL_IMAGE_SIZE (820) IS_TERMINATEDWINDOW_NOT_VISIBLE node61 C:/WINNT/SYSTEM32/PSKILL.EXE IS_TERMINATED(1192) MALWARE_ACTION TERMINATE_PROCESS WINDOW_NOT_VISIBLE node62C:/DOCUMENTS AND SETTINGS/ TO_BE_CLEANED ADMINISTRATOR/LOCALSETTINGS/TEMP/YSB.DLL (0) node63 C:/WINNT/SYSTEM32/REGSVC.EXESURVIVE_REBOOT (0) node64 C:/WINNT/SYSTEM32/MSTASK.EXE MALWARE_ACTION(528) WINDOW_NOT_VISIBLE SURVIVE_REBOOT ACTION_USED_NETWORK node65C:/DOCUMENTS AND SETTINGS/ADMINISTRATOR/LOCAL SETTINGS/TEMPORARYTO_BE_CLEANED INTERNET FILES/CONTENT.IE5/ISTCD2OD/ISTSVC[1].EXE (0)node66 C:/WINNT/SYSTEM32/WBEM/WINMGMT.EXE SURVIVE_REBOOT (0) node67C:/WINNT/SYSTEM32/CMD.EXE IS_SPAWNER (756) IS_TERMINATED MALWARE_ACTIONTERMINATE_PROCESS HAS_SHORTCUT_IN_START_MENU node68C:/WINNT/SYSTEM32/SMSS.EXE SMALL_IMAGE_SIZE (0) node69C:/WINNT/SYSTEM32/WUAUCLT.EXE WINDOW_NOT_VISIBLE (844) node70C:/WINNT/SYSTEM32/WUAUCLT.EXE (0) node71 C:/DOCUMENTS ANDSETTINGS/ADMINISTRATOR/LOCAL TO_BE_CLEANED SETTINGS/TEMP/ISTSVC.EXE (0)node72 C:/WINNT/SYSTEM32/CMD.EXE IS_SPAWNER (1192) IS_TERMINATEDMALWARE_ACTION TERMINATE_PROCESS HAS_SHORTCUT_IN_START_MENU node73C:/WINNT/SYSTEM32/PSKILL.EXE IS_TERMINATED (1104) MALWARE_ACTIONTERMINATE_PROCESS WINDOW_NOT_VISIBLE node74 SANAAGENT.EXE (1052) node75C:/WINNT/SYSTEM32/SVCHOST.EXE MALWARE_ACTION (400) SMALL_IMAGE_SIZEWINDOW_NOT_VISIBLE SURVIVE_REBOOT ACTION_USED_NETWORK IS_SPAWNER node76SANAAGENT.EXE (0) node77 C:/WINNT/SYSTEM32/WBEM/WINMGMT.EXEWINDOW_NOT_VISIBLE (692) SURVIVE_REBOOT IS_SPAWNER node78C:/PERL/BIN/PERL.EXE (636) SMALL_IMAGE_SIZE WRITES_TO_PGM_FILESWRITES_TO_WINDIR WRITES_TO_REGISTRY_STARTUP IS_SPAWNER node79C:/WINNT/SYSTEM32/PSKILL.EXE IS_TERMINATED (1188) MALWARE_ACTIONTERMINATE_PROCESS WINDOW_NOT_VISIBLE node80 C:/PROGRAMFILES/SANASECURITY/PRIMARY RESPONSE/ SMALL_IMAGE_SIZEAGENT/BIN/SANASCANNER.EXE (0) node81 C:/PROGRAM FILES/WINRAR/WINRAR.EXEIS_TERMINATED (640) WINDOW_NOT_VISIBLE HAS_SHORTCUT_IN_START_MENU node82C:/WINNT/SYSTEM32/SVCHOST.EXE SMALL_IMAGE_SIZE (0) SURVIVE_REBOOT node83C:/PROGRAM FILES/WINRAR/WINRAR.EXE (0) node84 C:/DOCUMENTS ANDSETTINGS/ADMINISTRATOR/LOCAL SETTINGS/ INSTALLS_COM_OBJECTTEMP/IINSTALL.EXE:764 (764) SMALL_IMAGE_SIZE WRITES_TO_PGM_FILESSUFFICIENT WRITES_TO_REGISTRY_STARTUP TO_BE_CLEANED ACTION_USED_NETWORKIS_SPAWNER IS_TERMINATED MALWARE_ACTION CONFIRMED_MALWAREWRITES_TO_WINDIR WINDOW_NOT_VISIBLE ALERTED_MALWARE INSTALLS_TOOLBARnode85 C:/WINNT/SYSTEM32/MSTASK.EXE SURVIVE_REBOOT (0) node86C:/WINNT/DOWNLOADED PROGRAM FILES/YSBACTIVEX.DLL (0) node87C:/WINNT/SYSTEM32/SPOOLSV.EXE SMALL_IMAGE_SIZE (0) SURVIVE_REBOOT node88C:/WINNT/SYSTEM32/SVCHOST.EXE MALWARE_ACTION (704) SMALL_IMAGE_SIZEWINDOW_NOT_VISIBLE SURVIVE_REBOOT ACTION_USED_NETWORK IS_SPAWNER

TABLE F (graph edges of computer infected with the malware“Lyricsdomain”) node48->node84 INSTANCE_OF node84->node8 INSTALLnode84->node71 INSTALL node84->node54 INSTALL node84->node62 INSTALLnode84->node59 INSTALL node84->node65 INSTALL node84->node18 INSTALLnode84->node57 INSTALL node84->node36 INSTALL node84->node49 SPAWNnode84->node26 REGISTER node84->node26 INSTALL node84->node22 INSTALLnode84->node32 SPAWN node58->node38 INSTANCE_OF node58->node78INSTANCE_OF node78->node35 SPAWN node78->node39 SPAWN node78->node72SPAWN node78->node56 SPAWN node78->node67 SPAWN node78->node31 SPAWNnode78->node60 SPAWN node78->node24 SPAWN node4->node14 INSTANCE_OFnode14->node12 REGISTER node14->node17 INSTALL node14->node48 INSTALLnode14->node84 SPAWN node14->node11 INSTALL node14->node26 REGISTERnode14->node86 REGISTER node36->node49 INSTANCE_OF node49->node36REGISTER node80->node43 INSTANCE_OF node27->node47 INSTANCE_OFnode2->node16 INSTANCE_OF node1->node34 INSTANCE_OF node6->node41INSTANCE_OF node83->node81 INSTANCE_OF node44->node5 INSTANCE_OFnode40->node37 INSTANCE_OF node37->node14 SPAWN node37->node47 SPAWNnode37->node34 SPAWN node37->node41 SPAWN node37->node81 SPAWNnode37->node20 SPAWN node37->node10 SPAWN node22->node32 INSTANCE_OFnode32->node22 REGISTER node25->node35 INSTANCE_OF node25->node20INSTANCE_OF node25->node39 INSTANCE_OF node25->node72 INSTANCE_OFnode25->node56 INSTANCE_OF node25->node67 INSTANCE_OF node25->node10INSTANCE_OF node35->node79 SPAWN node39->node61 SPAWN node72->node73SPAWN node72->node30 SPAWN node56->node50 SPAWN node67->node61 SPAWNnode10->node38 SPAWN node10->node78 SPAWN node10->node5 SPAWNnode3->node9 INSTANCE_OF node51->node21 INSTANCE_OF node85->node64INSTANCE_OF node19->node73 INSTANCE_OF node19->node79 INSTANCE_OFnode19->node61 INSTANCE_OF node15->node30 INSTANCE_OF node15->node50INSTANCE_OF node63->node46 INSTANCE_OF node13->node29 INSTANCE_OFnode29->node16 SPAWN node29->node64 SPAWN node29->node46 SPAWNnode29->node7 SPAWN node29->node75 SPAWN node29->node42 SPAWNnode29->node88 SPAWN node29->node77 SPAWN node68->node28 INSTANCE_OFnode28->node9 SPAWN node28->node53 SPAWN node87->node7 INSTANCE_OFnode82->node75 INSTANCE_OF node82->node42 INSTANCE_OF node82->node88INSTANCE_OF node88->node69 SPAWN node66->node77 INSTANCE_OFnode33->node53 INSTANCE_OF node53->node21 SPAWN node53->node29 SPAWNnode70->node69 INSTANCE_OF node45->node31 INSTANCE_OF node45->node60INSTANCE_OF node55->node24 INSTANCE_OF node76->node74 INSTANCE_OFnode74->node43 SPAWN node23->node52 INSTANCE_OF node52->node28 SPAWN

TABLE G (graph nodes related to the malware “Lyricsdomain”) node1C:/DOCUMENTS AND SETTINGS/ADMINISTRATOR/LOCAL SETTINGS/TEMP/TO_BE_CLEANED HEKXSVY.EXE (0) node2 C:/DOCUMENTS ANDSETTINGS/ADMINISTRATOR/LOCAL SETTINGS/TEMPORARY TO_BE_CLEANED INTERNETFILES/CONTENT.IE5/ISTCD2OD/SACC.PROD.V1110.07SEP2005.EXE (0) node3C:/WINNT/HEKXSVY.EXE (0) SUFFICIENT SMALL_IMAGE_SIZE SURVIVE_REBOOTTO_BE_CLEANED node4 C:/PROGRAM FILES/YOURSITEBAR/YSB.DLL TO_BE_CLEANED(0) node5 C:/WINNT/HEKXSVY.EXE SMALL_IMAGE_SIZE (1144) SUFFICIENTWRITES_TO_REGISTRY_STARTUP SURVIVE_REBOOT TO_BE_CLEANED IS_TERMINATEDWINDOW_NOT_VISIBLE ALERTED_MALWARE node6 C:/PROGRAMFILES/ISTSVC/ISTSVC.EXE SUFFICIENT (0) SMALL_IMAGE_SIZE SURVIVE_REBOOTTO_BE_CLEANED node7 C:/DOCUMENTS AND SETTINGS/ADMINISTRATOR/LOCALSETTINGS/TEMP/ SUFFICIENT IINSTALL.EXE (0) SMALL_IMAGE_SIZETO_BE_CLEANED node8 C:/PROGRAM FILES/ISTSVC/ISTSVC.EXE:860SMALL_IMAGE_SIZE (860) SUFFICIENT WRITES_TO_REGISTRY_STARTUPSURVIVE_REBOOT TO_BE_CLEANED ACTION_USED_NETWORK IS_TERMINATEDMALWARE_ACTION CONFIRMED_MALWARE WINDOW_NOT_VISIBLE ALERTED_MALWAREnode9 C:/DOCUMENTS AND SETTINGS/ADMINISTRATOR/LOCAL SETTINGS/TEMP/TO_BE_CLEANED SACC.EXE (0) node10 C:/DOCUMENTS ANDSETTINGS/ADMINISTRATOR/LOCAL SETTINGS/TEMPORARY TO_BE_CLEANED INTERNETFILES/CONTENT.IE5/N3SNISZ6/ISTRECOVER[1].EXE (0) node11 C:/DOCUMENTS ANDSETTINGS/ADMINISTRATOR/LOCAL SETTINGS/ TO_BE_CLEANED TEMPORARY INTERNETFILES/CONTENT.IE5/AH6GBXDE/YSB[1].DLL (0) node12 C:/DOCUMENTS ANDSETTINGS/ TO_BE_CLEANED ADMINISTRATOR/LOCAL SETTINGS/TEMP/YSB.DLL (0)node13 C:/DOCUMENTS AND SETTINGS/ADMINISTRATOR/LOCAL SETTINGS/TO_BE_CLEANED TEMPORARY INTERNETFILES/CONTENT.IE5/ISTCD2OD/ISTSVC[1].EXE (0) node14 C:/DOCUMENTS ANDSETTINGS/ TO_BE_CLEANED ADMINISTRATOR/LOCAL SETTINGS/TEMP/ISTSVC.EXE (0)node15 C:/DOCUMENTS AND SETTINGS/ADMINISTRATOR/ INSTALLS_COM_OBJECTLOCAL SETTINGS/TEMP/INSTALL.EXE:764 (764) SMALL_IMAGE_SIZEWRITES_TO_PGM_FILES SUFFICIENT WRITES_TO_REGISTRY_STARTUP TO_BE_CLEANEDACTION_USED_NETWORK IS_SPAWNER IS_TERMINATED MALWARE_ACTIONCONFIRMED_MALWARE WRITES_TO_WINDIR WINDOW_NOT_VISIBLE ALERTED_MALWAREINSTALLS_TOOLBAR node16 C:/PROGRAM FILES/INTERNET EXPLORER/IEXPLORE.EXEINSTALLS_COM_OBJECT (1056) SUFFICIENT ACTION_USED_NETWORK IS_SPAWNERIS_TERMINATED MALWARE_ACTION INSTALLS_TOOLBAR HAS_SHORTCUT_IN_START_MENU

TABLE H (graph edges related to the malware “Lyricsdomain”)node7->node15 INSTANCE_OF node15->node1 INSTALL node15->node14 INSTALLnode15->node9 INSTALL node15->node12 INSTALL node15->node11 INSTALLnode15->node13 INSTALL node15->node2 INSTALL node15->node10 INSTALLnode15->node6 INSTALL node15->node8 SPAWN node15->node4 REGISTERnode15->node4 INSTALL node15->node3 INSTALL node15->node5 SPAWNnode16->node7 INSTALL node16->node15 SPAWN node16->node4 REGISTERnode6->node8 INSTANCE_OF node8->node6 REGISTER node3->node5 INSTANCE_OFnode5->node3 REGISTER

TABLE I (graph nodes of computer infected with the malware “Nuclearrat”)node1 C:/PROGRAM FILES/VMWARE/VMWARETOOLS/VMWARETRAY.EXE IMAGE_CHANGED(0) SMALL_IMAGE_SIZE SURVIVE_REBOOT node2 C:/PROGRAMFILES/VMWARE/VMWARETOOLS/VMWARESERVICE.EXE IMAGE_CHANGED (0)SURVIVE_REBOOT node3 C:/WINNT/SYSTEM32/CSRSS.EXE SMALL_IMAGE_SIZE (0)node4 C:/WINNT/NR/EXAMPLE.DLL TO_BE_CLEANED (0) node5 C:/PROGRAMFILES/INTERNET EXPLORER/IEXPLORE.EXE (0) node6 C:/PROGRAMFILES/VMWARE/VMWARETOOLS/VMWAREUSER.EXE IMAGE_CHANGED (0) SURVIVE_REBOOTnode7 C:/WINNT/SYSTEM32/CMD.EXE TO_BE_CLEANED (1028) IS_SPAWNERIS_TERMINATED HAS_SHORTCUT_IN_START_MENU node8C:/WINNT/SYSTEM32/SPOOLSV.EXE SMALL_IMAGE_SIZE (428) WINDOW_NOT_VISIBLESURVIVE_REBOOT node9 E:/CLEANUP/GUI/ALERTMFC.EXE (1000) node10C:/WINNT/SYSTEM32/CSRSS.EXE SMALL_IMAGE_SIZE (164) WINDOW_NOT_VISIBLEnode11 C:/WINNT/SYSTEM32/CMD.EXE HAS_SHORTCUT_IN_START_MENU (840)IS_SPAWNER node12 C:/WINNT/SYSTEM32/BROWSEUI.DLL (0) node13C:/WINNT/NR/EXAMPLE.EXE SUFFICIENT (0) SURVIVE_REBOOT TO_BE_CLEANEDnode14 C:/WINNT/SYSTEM32/SERVICES.EXE SURVIVE_REBOOT (0) node15C:/WINNT/SYSTEM32/PSSUSPEND.EXE (0) node16 C:/PROGRAMFILES/VMWARE/VMWARETOOLS/VMWARESERVICE.EXE IMAGE_CHANGED (668)WINDOW_NOT_VISIBLE SURVIVE_REBOOT node17 C:/WINNT/SYSTEM32/PSKILL.EXE(0) node18 C:/WINNT/SYSTEM32/PSKILL.EXE IS_TERMINATED (724)MALWARE_ACTION TERMINATE_PROCESS WINDOW_NOT_VISIBLE node19 C:/DOCUMENTSAND SETTINGS/ADMINISTRATOR/ SUFFICIENTDESKTOP/TROJANEXECUTABLES/NUCLEARRATALL.EXE (0) TO_BE_CLEANED node20C:/WINNT/SYSTEM32/CMD.EXE HAS_SHORTCUT_IN_START_MENU (1176) IS_SPAWNERnode21 C:/WINNT/SYSTEM32/LSASS.EXE MALWARE_ACTION (224) SMALL_IMAGE_SIZEWINDOW_NOT_VISIBLE SURVIVE_REBOOT ACTION_USED_NETWORK node22C:/WINNT/SYSTEM32/CMD.EXE IS_SPAWNER (376) IS_TERMINATED MALWARE_ACTIONTERMINATE_PROCESS HAS_SHORTCUT_IN_START_MENU node23 SYSTEM (0) node24C:/WINNT/SYSTEM32/CMD.EXE (0) node25 C:/PROGRAMFILES/SANASECURITY/PRIMARY RESPONSE/AGENT/BIN/SANAUI.EXE SURVIVE_REBOOT(0) node26 C:/WINNT/SYSTEM32/SMSS.EXE SMALL_IMAGE_SIZE (140)WINDOW_NOT_VISIBLE IS_SPAWNER node27 C:/WINNT/SYSTEM32/SERVICES.EXETERMINATE_PROCESS (212) MALWARE_ACTION WINDOW_NOT_VISIBLE SURVIVE_REBOOTACTION_USED_NETWORK IS_SPAWNER node28 C:/WINNT/SYSTEM32/PSSUSPEND.EXEIS_TERMINATED (724) MALWARE_ACTION TERMINATE_PROCESS WINDOW_NOT_VISIBLEnode29 C:/WINNT/SYSTEM32/WINLOGON.EXE (0) node30 C:/PROGRAMFILES/VMWARE/VMWARETOOLS/VMWARETRAY.EXE SMALL_IMAGE_SIZE (1016)IMAGE_CHANGED WINDOW_NOT_VISIBLE SURVIVE_REBOOT node31 C:/PROGRAMFILES/INTERNET EXPLORER/IEXPLORE.EXE TO_BE_CLEANED (1004)ACTION_USED_NETWORK IS_TERMINATED MALWARE_ACTION WINDOW_NOT_VISIBLETAINTED_MALWARE PROCESS_MEMORY_COMPROMISED PARENT_SURVIVED_REBOOT node32E:/CLEANUP/ENUM.EXE SMALL_IMAGE_SIZE (620) IS_TERMINATED IMAGE_CHANGEDWINDOW_NOT_VISIBLE node33 C:/WINNT/EXPLORER.EXE SUFFICIENT (896)WRITES_TO_REGISTRY_STARTUP IS_SPAWNER INSTALLS_TOOLBAR node34 C:/PROGRAMFILES/VMWARE/VMWARETOOLS/VMWAREUSER.EXE IMAGE_CHANGED (1024)SURVIVE_REBOOT node35 C:/WINNT/EXPLORER.EXE (0) node36C:/WINNT/SYSTEM32/SVCHOST.EXE MALWARE_ACTION (460) SMALL_IMAGE_SIZEWINDOW_NOT_VISIBLE SURVIVE_REBOOT ACTION_USED_NETWORK IS_SPAWNER node37E:/CLEANUP/ENUM.EXE (0) IMAGE_CHANGED SMALL_IMAGE_SIZE node38C:/PERL/BIN/PERL.EXE SMALL_IMAGE_SIZE (1128) WRITES_TO_WINDIRWRITES_TO_REGISTRY_STARTUP IS_SPAWNER node39C:/WINNT/SYSTEM32/REGSVC.EXE WINDOW_NOT_VISIBLE (512) SURVIVE_REBOOTnode40 C:/PROGRAM FILES/SANASECURITY/PRIMARYRESPONSE/AGENT/BIN/SANAUI.EXE SURVIVE_REBOOT (1092)HAS_SHORTCUT_IN_START_MENU node41 C:/WINNT/SYSTEM32/LSASS.EXESMALL_IMAGE_SIZE (0) SURVIVE_REBOOT node42 SYSTEM (8) WINDOW_NOT_VISIBLEIS_SPAWNER node43 C:/WINNT/SYSTEM32/WINLOGON.EXE WRITES_TO_WINDIR (160)WINDOW_NOT_VISIBLE IS_SPAWNER node44 E:/CLEANUP/GUI/ALERTMFC.EXE (0)node45 C:/PERL/BIN/PERL.EXE (0) SMALL_IMAGE_SIZE node46 C:/DOCUMENTS ANDSETTINGS/ADMINISTRATOR/DESKTOP/ SUFFICIENTTROJANEXECUTABLES/NUCLEARRATALL.EXE (376) TO_BE_CLEANED IS_SPAWNERIS_TERMINATED CONFIRMED_MALWARE WRITES_TO_WINDIR WINDOW_NOT_VISIBLEALERTED_MALWARE node47 C:/WINNT/SYSTEM32/PSSUSPEND.EXE IS_TERMINATED(1084) WINDOW_NOT_VISIBLE node48 C:/WINNT/SYSTEM32/REGSVC.EXESURVIVE_REBOOT (0) node49 C:/WINNT/SYSTEM32/MSTASK.EXE MALWARE_ACTION(528) WINDOW_NOT_VISIBLE SURVIVE_REBOOT ACTION_USED_NETWORK node50C:/WINNT/SYSTEM32/WBEM/WINMGMT.EXE SURVIVE_REBOOT (0) node51C:/WINNT/SYSTEM32/SMSS.EXE SMALL_IMAGE_SIZE (0) node52C:/WINNT/NR/EXAMPLE.EXE:1000 SUFFICIENT (1000)WRITES_TO_REGISTRY_STARTUP SURVIVE_REBOOT TO_BE_CLEANED IS_SPAWNERIS_TERMINATED P2P_CODE_INJECTION MALWARE_ACTION CONFIRMED_MALWAREWRITES_TO_WINDIR WINDOW_NOT_VISIBLE ALERTED_MALWARE node53C:/WINNT/SYSTEM32/WUAUCLT.EXE (0) node54 C:/WINNT/SYSTEM32/WUAUCLT.EXEWINDOW_NOT_VISIBLE (844) node55 C:/WINNT/SYSTEM32/CMD.EXE IS_SPAWNER(620) IS_TERMINATED HAS_SHORTCUT_IN_START_MENU node56C:/WINNT/SYSTEM32/SVCHOST.EXE MALWARE_ACTION (400) SMALL_IMAGE_SIZEWINDOW_NOT_VISIBLE SURVIVE_REBOOT ACTION_USED_NETWORK IS_SPAWNER node57SANAAGENT.EXE (0) node58 C:/WINNT/SYSTEM32/WBEM/WINMGMT.EXEWINDOW_NOT_VISIBLE (692) SURVIVE_REBOOT IS_SPAWNER node59 SANAAGENT.EXE(464) node60 C:/PROGRAM FILES/SANASECURITY/PRIMARY RESPONSE/AGENT/BIN/SMALL_IMAGE_SIZE SANASCANNER.EXE (656) WINDOW_NOT_VISIBLE node61C:/PROGRAM FILES/SANASECURITY/PRIMARY RESPONSE/AGENT/ SMALL_IMAGE_SIZEBIN/SANASCANNER.EXE (0) node62 C:/WINNT/SYSTEM32/SVCHOST.EXESMALL_IMAGE_SIZE (0) SURVIVE_REBOOT node63 C:/WINNT/SYSTEM32/MSTASK.EXESURVIVE_REBOOT (0) node64 C:/WINNT/SYSTEM32/SPOOLSV.EXE SMALL_IMAGE_SIZE(0) SURVIVE_REBOOT node65 C:/WINNT/SYSTEM32/SVCHOST.EXE MALWARE_ACTION(704) SMALL_IMAGE_SIZE WINDOW_NOT_VISIBLE SURVIVE_REBOOTACTION_USED_NETWORK IS_SPAWNER

TABLE J (graph edges of computer infected with the malware “Nuclearrat”)node19->node46 INSTANCE_OF node46->node13 INSTALL node46->node52 SPAWNnode46->node7 SPAWN node45->node38 INSTANCE_OF node38->node22 SPAWNnode38->node55 SPAWN node38->node32 SPAWN node38->node9 SPAWNnode5->node31 INSTANCE_OF node61->node60 INSTANCE_OF node25->node40INSTANCE_OF node2->node16 INSTANCE_OF node1->node30 INSTANCE_OFnode6->node34 INSTANCE_OF node35->node33 INSTANCE_OF node33->node12REGISTER node33->node46 SPAWN node33->node40 SPAWN node33->node30 SPAWNnode33->node34 SPAWN node33->node20 SPAWN node33->node11 SPAWNnode13->node52 INSTANCE_OF node52->node31 SPAWN node52->node31CODE_INJECT node52->node4 INSTALL node52->node13 REGISTER node24->node7INSTANCE_OF node24->node20 INSTANCE_OF node24->node22 INSTANCE_OFnode24->node55 INSTANCE_OF node24->node11 INSTANCE_OF node22->node18SPAWN node22->node28 SPAWN node55->node47 SPAWN node11->node38 SPAWNnode3->node10 INSTANCE_OF node41->node21 INSTANCE_OF node63->node49INSTANCE_OF node17->node18 INSTANCE_OF node15->node47 INSTANCE_OFnode15->node28 INSTANCE_OF node48->node39 INSTANCE_OF node14->node27INSTANCE_OF node27->node16 SPAWN node27->node49 SPAWN node27->node39SPAWN node27->node8 SPAWN node27->node56 SPAWN node27->node36 SPAWNnode27->node65 SPAWN node27->node58 SPAWN node51->node26 INSTANCE_OFnode26->node10 SPAWN node26->node43 SPAWN node64->node8 INSTANCE_OFnode62->node56 INSTANCE_OF node62->node36 INSTANCE_OF node62->node65INSTANCE_OF node65->node54 SPAWN node50->node58 INSTANCE_OFnode29->node43 INSTANCE_OF node43->node21 SPAWN node43->node27 SPAWNnode53->node54 INSTANCE_OF node37->node32 INSTANCE_OF node44->node9INSTANCE_OF node57->node59 INSTANCE_OF node59->node60 SPAWNnode23->node42 INSTANCE_OF node42->node26 SPAWN

TABLE K (graph nodes related to the malware “Nuclearrat”) node1C:/WINNT/NR/EXAMPLE.DLL TO_BE_CLEANED (0) node2C:/WINNT/SYSTEM32/CMD.EXE TO_BE_CLEANED (1028) IS_SPAWNER IS_TERMINATEDHAS_SHORTCUT_IN_START_MENU node3 C:/WINNT/NR/EXAMPLE.EXE SUFFICIENT (0)SURVIVE_REBOOT TO_BE_CLEANED node4 C:/DOCUMENTS ANDSETTINGS/ADMTNISTRATOR/DESKTOP/ SUFFICIENTTROJANEXECUTABLES/NUCLEARRATALL.EXE (0) TO_BE_CLEANED node5 C:/PROGRAMFILES/INTERNET EXPLORER/IEXPLORE.EXE TO_BE_CLEANED (1004)ACTION_USED_NETWORK IS_TERMINATED MALWARE_ACTION WINDOW_NOT_VISIBLETAINTED_MALWARE PROCESS_MEMORY_COMPROMISED PARENT_SURVIVED_REBOOT node6C:/DOCUMENTS AND SETTINGS/ADMINISTRATOR/DESKTOP/ SUFFICIENTTROJANEXECUTABLES/NUCLEARRATALL.EXE (376) TO_BE_CLEANED IS_SPAWNERIS_TERMINATED CONFIRMED_MALWARE WRITES_TO_WINDIR WINDOW_NOT_VISIBLEALERTED_MALWARE node7 C:/WINNT/NR/EXAMPLE.EXE:1000 SUFFICIENT (1000)WRITES_TO_REGISTRY_STARTUP SURVIVE_REBOOT TO_BE_CLEANED IS_SPAWNERIS_TERMINATED P2P_CODE_INJECTION MALWARE_ACTION CONFIRMED_MALWAREWRITES_TO_WINDIR WINDOW_NOT_VISIBLE ALERTED_MALWARE node8C:/WINNT/SYSTEM32/CMD.EXE (0) node9 C:/PROGRAM FILES/INTERNETEXPLORER/IEXPLORE.EXE (0) node10 C:/WINNT/EXPLORER.EXE SUFFICIENT (896)WRITES_TO_REGISTRY_STARTUP IS_SPAWNER INSTALLS_TOOLBAR

TABLE L (graph edges of the malware “Nuclearrat”) node4->node6INSTANCE_OF node6->node3 INSTALL node6->node7 SPAWN node6->node2 SPAWNnode9->node5 INSTANCE_OF node10->node6 SPAWN node3->node7 INSTANCE_OFnode7->node5 SPAWN node7->node5 CODE_INJECT node7->node1 INSTALLnode7->node3 REGISTER node8->node2 INSTANCE_OF

FIG. 5 is a simplified block diagram of a computer system 510 suitablefor use with embodiments of the present invention. Computer system 510typically includes at least one processor 514 which communicates with anumber of peripheral devices via bus subsystem 512. These peripheraldevices may include a storage subsystem 524, comprising a memorysubsystem 526 and a file storage subsystem 528, user interface inputdevices 522, user interface output devices 520, and a network interfacesubsystem 516. The input and output devices allow user interaction withcomputer system 510. Network interface subsystem 516 provides aninterface to outside networks, including an interface to communicationnetwork 518, and is coupled via communication network 518 tocorresponding interface devices in other computer systems. Communicationnetwork 518 may comprise many interconnected computer systems andcommunication links. These communication links may be wireline links,optical links, wireless links, or any other mechanisms for communicationof information. While in one embodiment, communication network 518 isthe Internet, in other embodiments, communication network 518 may be anysuitable computer network.

User interface input devices 522 may include a keyboard, pointingdevices such as a mouse, trackball, touchpad, or graphics tablet, ascanner, a touchscreen incorporated into the display, audio inputdevices such as voice recognition systems, microphones, and other typesof input devices. In general, use of the term “input device” is intendedto include all possible types of devices and ways to input informationinto computer system 510 or onto computer network 518.

User interface output devices 520 may include a display subsystem, aprinter, a fax machine, or non-visual displays such as audio outputdevices. The display subsystem may include a cathode ray tube (CRT), aflat-panel device such as a liquid crystal display (LCD), a projectiondevice, or some other mechanism for creating a visible image. Thedisplay subsystem may also provide non-visual display such as via audiooutput devices. In general, use of the term “output device” is intendedto include all possible types of devices and ways to output informationfrom computer system 510 to the user or to another machine or computersystem.

Storage subsystem 524 stores the basic programming and data constructsthat provide the functionality of certain embodiments of the presentinvention. For example, the various modules implementing thefunctionality of certain embodiments of the invention may be stored instorage subsystem 524. These software modules are generally executed byprocessor 514.

Memory subsystem 526 typically includes a number of memories including amain random access memory (RAM) 530 for storage of instructions and dataduring program execution and a read only memory (ROM) 532 in which fixedinstructions are stored. File storage subsystem 528 provides persistentstorage for program and data files, and may include a hard disk drive, afloppy disk drive along with associated removable media, a CD-ROM drive,an optical drive, or removable media cartridges. The databases andmodules implementing the functionality of certain embodiments of theinvention may be stored by file storage subsystem 528.

Bus subsystem 512 provides a mechanism for letting the variouscomponents and subsystems of computer system 510 communicate with eachother as intended. Although bus subsystem 512 is shown schematically asa single bus, alternative embodiments of the bus subsystem may usemultiple busses.

Computer program medium 540 can be a medium associated with file storagesubsystem 528, and/or with network interface 516. The computer mediumreadable medium has code for performing methods described herein.

Computer system 510 itself can be of varying types including a personalcomputer, a portable computer, a workstation, a computer terminal, anetwork computer, a television, a mainframe, or any other dataprocessing system or user device. Due to the ever-changing nature ofcomputers and networks, the description of computer system 510 depictedin FIG. 5 is intended only as a specific example for purposes ofillustrating the preferred embodiments of the present invention. Manyother configurations of computer system 510 are possible having more orless components than the computer system depicted in FIG. 5.

While the present invention is disclosed by reference to the preferredembodiments and examples detailed above, it is to be understood thatthese examples are intended in an illustrative rather than in a limitingsense. It is contemplated that modifications and combinations willreadily occur to those skilled in the art, which modifications andcombinations will be within the spirit of the invention and the scope ofthe following claims. Various method steps can occur at least partlysimultaneously and/or at least partly contemporaneously.

1. A method of protection from harmful software on a computer,comprising: observing, at the computer, potentially harmful software onthe computer at runtime; determining, at the computer, that at leastpart of the potentially harmful software is harmful software; andremoving, at runtime, effects of the harmful software from the computerbased on at least said observing and said determining, despite attemptsby the harmful software to resist said removing.
 2. The method of clam1, wherein said determining is based on at least autonomous action bythe computer, including said observing.
 3. The method of clam 1, whereinsaid determining is based on at least input from a user of the computer.4. The method of claim 1, wherein said removing includes: reversingconfiguration changes made to the computer by the harmful software. 5.The method of claim 1, wherein said removing includes: restoringconfiguration parts of the computer affected by the harmful software tosystem defaults.
 6. The method of claim 1, wherein said removingincludes: removing files associated with the harmful software from thecomputer.
 7. The method of claim 1, wherein said removing includes:removing processes associated with the harmful software from thecomputer.
 8. The method of claim 1, wherein said method occursindependent of the computer receiving a security update subsequent toinstallation of code performing the method, the security update beinggenerated specifically for the harmful software by a security vendor ofthe code performing the method.
 9. The method of claim 1, wherein saidobserving the potentially harmful software includes observing changesmade by the potentially harmful software with approval by a user of thecomputer, and said determining and said removing occur despite theapproval by the user.
 10. The method of claim 1, wherein said removingis performed despite an absence of uninstall capability by the harmfulsoftware.
 11. A computer readable medium having a method of protectionfrom harmful software on a computer, comprising: the computer readablemedium having the method, the method including: observing, at thecomputer, potentially harmful software on the computer at runtime;determining, at the computer, that at least part of the potentiallyharmful software is harmful software; and removing, at runtime, effectsof the harmful software from the computer based on at least saidobserving and said determining, despite attempts by the harmful softwareto resist said removing.
 12. A computer having a method of protectionfrom harmful software on the computer, comprising: the computer havingthe method, wherein the method includes: observing, at the computer,potentially harmful software on the computer at runtime; determining, atthe computer, that at least part of the potentially harmful software isharmful software; and removing, at runtime, effects of the harmfulsoftware from the computer based on at least said observing and saiddetermining, despite attempts by the harmful software to resist saidremoving.
 13. A method of protection from harmful software on acomputer, comprising: observing, at the computer, potentially harmfulsoftware on the computer at runtime; determining, at the computer, thatat least part of the potentially harmful software is harmful software;and removing, at runtime, effects of the harmful software from thecomputer based on at least said observing and said determining, whereinsaid method occurs independent of the computer receiving a securityupdate subsequent to installation of code performing said method, thesecurity update being generated specifically for the harmful software bya security vendor of the code performing the method.
 14. The method ofclam 13, wherein said determining is based on at least autonomous actionby the computer, including said observing.
 15. The method of clam 13,wherein said determining is based on at least input from a user of thecomputer.
 16. The method of claim 13, wherein said removing includes:reversing configuration changes made to the computer by the harmfulsoftware,
 17. The method of claim 13, wherein said removing includes:restoring configuration parts of the computer affected by the harmfulsoftware to system defaults.
 18. The method of claim 13, wherein saidremoving includes: removing files associated with the harmful softwarefrom the computer.
 19. The method of claim 13, wherein said removingincludes: removing processes associated with the harmful software fromthe computer.
 20. The method of claim 13, wherein said observing thepotentially harmful software includes observing changes made by thepotentially harmful software with approval by a user of the computer,and said determining and said removing occur despite the approval by theuser.
 21. The method of claim 13, wherein said removing is performeddespite an absence of uninstall capability by the harmful software. 22.A computer readable medium having a method of protection from harmfulsoftware on a computer, comprising: the computer readable medium havingthe method, the method including: observing, at the computer,potentially harmful software on the computer at runtime; determining, atthe computer, that at least part of the potentially harmful software isharmful software; and removing, at runtime, effects of the harmfulsoftware from the computer based on at least said observing and saiddetermining, wherein said method occurs independent of the computerreceiving a security update subsequent to installation of codeperforming said method, the security update being generated specificallyfor the harmful software by a security vendor of the code performing themethod.
 23. A computer having a method of protection from harmfulsoftware on the computer, comprising: the computer having the method,wherein the method includes: observing, at the computer, potentiallyharmful software on the computer at runtime; determining, at thecomputer, that at least part of the potentially harmful software isharmful software; and removing, at runtime, effects of the harmfulsoftware from the computer based on at least said observing and saiddetermining, wherein said method occurs independent of the computerreceiving a security update subsequent to installation of codeperforming said method, the security update being generated specificallyfor the harmful software by a security vendor of the code performing themethod.